Double reverse proxy with SWAG - is this possible?

I have a SWAG container running on my home server, exposing several services via subdomains of a domain I own (let’s call it home-prod.example). This works as expected.

I’ve recently put together some hardware for a lab box which I’d also like to have accessible from the internet. One of the things I’d like to experiment with on the lab box is SWAG itself, which would expose its own services as subdomains of a different domain I own (let’s call it home-lab.example).

The solution I’m picturing looks something like this:

  • Everything that hits my home router on 80/443 is sent to the home-prod box. home-prod.example services and SSL certs are handled by SWAG as expected. This is what I have now.

  • Any requests for home-lab.example are passed through to the lab box as is. I’d like services and SSL certs for home-lab.example to be handled by SWAG on the lab box. This is where I’m stuck.

Most recently, I tried adding this to the top of my NGINX default config on the prod box:

server {
	listen 80 http2;
	listen [::]:80 http2;

	server_name home-lab.example;
	client_max_body_size 0;

	location / {
		proxy_pass http://192.168.1.171;
		proxy_set_header X-Original-Host $http_host;
		proxy_set_header X-Original-Scheme $scheme;
		proxy_set_header X-Forwarded-For $remote_addr;
	}
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name home-lab.example;
	client_max_body_size 0;

	location / {
		proxy_pass https://192.168.1.171;
		proxy_set_header X-Original-Host $http_host;
		proxy_set_header X-Original-Scheme $scheme;
		proxy_set_header X-Forwarded-For $remote_addr;
	}
}

The SWAG container on the lab box keeps failing the LetsEncrypt challenge because it isn’t reachable from the internet. I’ve tried replicating this setup in AWS with fresh SWAG installs, but haven’t had any luck there either. So what I’m asking is this:

  1. Is a double reverse proxy setup like I’ve described above even possible?
  2. If it is, what should my NGINX configs look like on the prod box to make this passthrough work?

Thanks!

You’ll need to use DNS (not HTTP) validation on the 2nd SWAG instance.
Use the template on swag1, change upstream_app to the IP of swag2’s host, and change upstream_port to the exposed port on swag2’s host. I.e. if you access the lab app by http://192.168.0.1:5000 then that is your upstream_app and upstream_port.

You’ve added superfluous complexity by trying to run 2 without 2 WAN IPs, but it can be done as shown above. Personally, I would suggest just putting both domains on the primary SWAG box though, but it is what it is.


Looks like switching to DNS validation is what I was missing - I’m up and running. Had to tweak the server blocks at the top of the home-prod config like this:

server {
	listen 80 http2;
	listen [::]:80 http2;

	server_name *.home-lab.example;
	client_max_body_size 0;

	location / {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.171;
	}
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name *.home-lab.example;
	client_max_body_size 0;

	location / {
		include /config/nginx/proxy.conf;
		proxy_pass https://192.168.1.171;
	}
}

(Note the wildcard before the server_name to get the subdomains)
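Putting the reply’s template advice (upstream_app / upstream_port on swag1) together with the wildcard server block above, here is an added example of the same forwarding written as a SWAG-style site-conf on the prod box, followed by the one snippet the lab box needs so that its logs and fail2ban see the real client address instead of the prod box’s LAN address. This is not the poster’s or SWAG’s own config. The lab IP 192.168.1.171 and the two domain names are the thread’s placeholders; the upstream port 443, the include paths (SWAG’s layout), the SNI directives and the trusted subnet are assumptions. Note that because swag1 proxies at the HTTP layer, client TLS terminates on swag1, so swag1’s own certificate has to cover the home-lab.example names; swag2’s certificate is only used on the hop between the two boxes.

```nginx
# ---- On the prod SWAG (swag1): /config/nginx/site-confs/home-lab.conf ----
# Added example modelled on the SWAG subdomain template; values are placeholders.

server {
    listen 80;
    listen [::]:80;

    server_name *.home-lab.example home-lab.example;

    # With DNS validation swag2 no longer needs an HTTP-01 challenge to arrive;
    # forwarding plain HTTP only lets swag2 issue its own redirect to HTTPS.
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://192.168.1.171;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Wildcard so every lab subdomain is routed to the lab SWAG.
    server_name *.home-lab.example home-lab.example;

    # swag1 terminates the client's TLS here, so this certificate must cover
    # the home-lab.example names as well (assumption: swag1's cert includes them).
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;     # sets Host, X-Forwarded-For, X-Forwarded-Proto, ...
        include /config/nginx/resolver.conf;  # present in current SWAG layouts (assumed)
        set $upstream_app 192.168.1.171;      # lab box IP from the thread
        set $upstream_port 443;               # port swag2 publishes on the lab host (assumed)
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        # Send the client's hostname as SNI on the swag1 -> swag2 hop so swag2
        # picks the matching server block and certificate instead of its default.
        proxy_ssl_server_name on;
        proxy_ssl_name $host;
    }
}

# ---- On the lab SWAG (swag2): /config/nginx/site-confs/realip.conf ----
# Without this, every request on swag2 appears to come from swag1's LAN address:
# access logs show a single client and a fail2ban ban on swag2 would lock out
# the prod box itself. Trust only the hop that really is swag1.
set_real_ip_from 192.168.1.0/24;   # PLACEHOLDER: narrow this to swag1's actual address
real_ip_header X-Forwarded-For;
real_ip_recursive on;
```

The realip snippet relies on nginx’s ngx_http_realip_module: $remote_addr (and therefore the access log and anything fail2ban reads from it) is replaced by the rightmost X-Forwarded-For entry not in the trusted range, so an untrusted client cannot spoof its own address simply by sending the header.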

Agreed. I’ve patchworked my current setup together over the last few years into something that’s becoming difficult to maintain. Planning to blow everything away soon and rebuild with Ansible, but needed a way to do test runs without disrupting the services that are already running.

Thanks for the help!
